Why Your Google Cloud Service Account Keys Are Expiring and How to Automate Renewal

FELFAL Bouabid April 12, 2026



Why Your Google Cloud service account keys are expiring and how to automate renewal in the USA. Practical tips to prevent authentication failures today.

If you've been working with Google Cloud Platform lately, you've probably noticed something strange happening. Your service account keys that used to work fine for months are suddenly expiring after just 90 days—or even less. It's frustrating, especially when you're in the middle of a project deadline and suddenly your application can't authenticate anymore.

You're not alone. Google has rolled out new security policies that enforce key expiration to protect against long-lived credentials that could be compromised. In this guide, I'll walk you through exactly why your Google Cloud service account keys are expiring, how to check their status, and most importantly, how to automate Google Cloud service account key renewal so you never get caught off guard again.

Why Are My Google Cloud Service Account Keys Expiring?

Here's what's happening: Google introduced an organization policy constraint called  that sets a maximum validity window for new service account keys. This wasn't just a random change—it's part of a broader push to reduce security risks from long-lived credentials that could sit forgotten in your codebase for years.
Most new keys now come with a fixed validity window, typically between 30 to 90 days. Some organizations even set them to expire in just hours or days for highly sensitive workloads. The good news? Existing keys aren't retroactively expired, so you won't wake up to a system-wide outage tomorrow. But any new key you create will be subject to these rules.
In my experience as a cloud consultant working with startups in Austin, Texas, I've seen teams scramble when their CI/CD pipelines suddenly fail because a service account key expired over a weekend. One client lost nearly 8 hours of deployment time because nobody was monitoring key expiration dates. It's a painful lesson that's becoming all too common across the USA as more companies migrate to Google Cloud.

Does Every Service Account Key Have an Expiration Date?

Not exactly. There are two types of service account keys in Google Cloud, and they behave differently:
Google-managed keys (created via the Console or  gcloud CLI) are subject to the organization-level expiry constraint we just discussed. These are the ones that will automatically get an expiration date based on your org policy.
User-managed keys (uploaded with a custom X.509 certificate) can have their own custom expiration dates that you control. However, even these aren't immune to scrutiny—Google's security tools will still flag keys that are older than recommended rotation periods.
Here's a quick comparison:
Key Type
Created By
Expiry Control
Best For
Google-managed
Console/CLI
Org policy enforced
Standard workloads, automated rotation
User-managed
Custom certificate
You decide
Special compliance needs, legacy systems


How Do I Check If a Service Account Key Is About to Expire?

You've got a few options here, depending on whether you prefer the command line or the web interface.
Using gcloud CLI:
bash

Using the Cloud Console:
  1. Go to IAM & Admin → Service Accounts
  2. Click on your service account
  3. Select the "Keys" tab
  4. Check the "Expiration" column

Can I Disable or Change the Expiry for Service Account Keys?

Technically, yes—but you probably shouldn't.
You can control the default expiry for new keys by setting the  iam.service...... organization policy at the project, folder, or organization level. The setting lets you specify the maximum lifetime in hours (up to 8760 hours, which is one year).
However, here's the reality: the industry trend is moving toward shorter-lived credentials, not longer ones. Security teams and compliance auditors are increasingly suspicious of keys that live for months or years. If you're working in regulated industries like healthcare or finance—common sectors here in the USA—you'll face stricter requirements anyway.
My advice? Don't fight the expiration. Instead, embrace automation.

What Is the Recommended Key Rotation Cadence?

Security best practices recommend rotating service account keys every 90 days or less. Some organizations with high-security requirements rotate every 30 days or even weekly.
Here's what most U.S.-based companies are doing:
  • Standard workloads: 90 days
  • Production-critical systems: 60 days
  • High-security/compliance environments: 30 days
  • Development/testing: 90-180 days
The key is consistency. Set a schedule, stick to it, and automate it. Manual rotation is where mistakes happen—like forgetting to update the key in your application before the old one expires.


Can I Automate Google Cloud Service Account Key Renewal?

Absolutely, and this is where things get interesting. Automation is your best friend when it comes to Google Cloud service account key rotation.
Here's the typical automation workflow:
  1. Create a new key using the IAM API or  gcloud command
  2. Store the new key in Secret Manager or your configuration system
  3. Update your application to use the new key (often automatic if you're using Secret Manager)
  4. Wait a brief overlap period (24-48 hours) to ensure all systems are using the new key
  5. Delete the old key to reduce your attack surface
You can implement this automation using:
  • Cloud Functions (serverless, event-driven)
  • Cloud Run (containerized microservices)
  • Cloud Scheduler (cron-style triggers)
  • Custom scripts running on a schedule
I've built several of these rotation systems for clients, and the most reliable approach combines Cloud Scheduler (to trigger every 89 days) with Cloud Functions (to do the actual rotation) and Secret Manager (to store the keys securely).

Where Should I Store Rotated Service Account Keys Securely?

This is critical: never store service account keys in your code repository, configuration files, or unencrypted environment variables. I've seen this mistake too many times, and it's a security nightmare waiting to happen.
The gold standard is Google Cloud Secret Manager. It provides:
  • Encryption at rest and in transit
  • Fine-grained IAM access controls
  • Automatic versioning
  • Audit logging
  • Easy integration with Cloud Functions, Cloud Run, and Compute Engine
Here's a quick comparison of storage options:
Storage Method
Security Level
Automation-Friendly
Recommended?
Secret Manager
★★★★★
★★★★★
✅ Yes
Encrypted file in Cloud Storage
★★★☆☆
★★★☆☆
⚠️ Acceptable
Environment variables
★★☆☆☆
★★★★☆
❌ Not recommended
Code repository
★☆☆☆☆
★★★★★
❌ Never
Local filesystem
★☆☆☆☆
★★☆☆☆
❌ Never


Should I Eliminate Keys Entirely?

Here's the million-dollar question: why use keys at all if you can avoid them?
Google Cloud offers modern alternatives that eliminate the need for downloadable JSON keys:
Workload Identity Federation lets your workloads authenticate using existing identity providers (like AWS, Azure, GitHub Actions, or your own OIDC provider) without ever creating a service account key.
Attached Service Accounts work natively with Google Cloud services like Compute Engine, GKE (Google Kubernetes Engine), and Cloud Run. Your workload automatically gets credentials without you managing any keys.
These approaches are the modern security standard and should be your first choice whenever possible. If you're starting a new project, seriously consider whether you need static keys at all.

What Happens If I Ignore Expiring Keys?

Let me be blunt: your applications will break.
When a service account key expires, any application, script, or service using that key will immediately fail authentication. 

The impact depends on what the key was doing:
  • CI/CD pipelines stop deploying
  • Data processing jobs fail
  • API integrations break
  • Monitoring and logging gaps appear
I once consulted for a healthcare startup in Boston that ignored key expiration warnings for three months. When their patient data synchronization service suddenly stopped working on a Monday morning, it took their team six hours to diagnose and fix—during which time critical health data wasn't syncing between systems. Don't be that team.

How Do I Detect and Delete Unused or Old Keys?

Regular housekeeping is essential. Here's how to find and remove stale keys:
Manual detection:
bash
Automated detection: Use Cloud Logging and custom scripts to identify keys older than your policy threshold (e.g., 90 days) or keys that haven't been used recently.
Third-party tools: Security platforms like CSPM (Cloud Security Posture Management) tools can scan your Google Cloud environment and flag long-lived or unused keys automatically.
Best practice: Set up a monthly review process where you audit all service accounts and their keys. Delete anything you don't recognize or haven't seen activity from in 30+ days.


Is There a Way to Monitor Key Expiry Events in Google Cloud?

Yes, and you should definitely set this up.
Google Cloud provides several monitoring options:
  1. Cloud Audit Logs: Track when keys are created, deleted, or used
  2. Cloud Monitoring: Set up alerts based on key age or expiration dates
  3. Eventarc: Create event-driven workflows that trigger when keys approach expiration
  4. Cloud Scheduler + Cloud Functions: Build custom monitoring that checks key dates and sends notifications
I recommend setting up alerts at:
  • 60 days before expiration (warning)
  • 30 days before expiration (urgent)
  • 7 days before expiration (critical)
This gives you multiple opportunities to rotate keys before they cause outages.

Can I Use Short-Lived Credentials Instead of Static Keys?

Absolutely, and this is the future of cloud authentication.
Short-lived OAuth2 tokens and OpenID Connect (OIDC) tokens typically expire in 1 hour or less, dramatically reducing the risk window if they're compromised. These tokens are automatically refreshed by Google Cloud client libraries, so your code doesn't need to manage expiration.
Workload Identity Federation (mentioned earlier) takes this further by eliminating static keys entirely and using federated identity providers.
The shift toward short-lived credentials is part of a broader zero-trust security model that's becoming standard across U.S. enterprises. If you're still relying on static keys that live for months, it's time to modernize.

Common Mistakes to Avoid

I've seen countless teams make these errors when dealing with service account key expiration:
Hardcoding keys in source code - This is security malpractice. Use Secret Manager.
Setting rotation reminders but ignoring them - If you're going to automate, actually automate. Half-measures cause outages.
Creating new keys without deleting old ones - This increases your attack surface. Always clean up.
Using the same key across multiple environments - Production, staging, and development should have separate keys with different rotation schedules.
Not testing the rotation process - Practice your key rotation in a non-production environment first. You don't want surprises in production.
These patterns are so common, yet so preventable. Take the time to do it right.

Editor's Opinion: What I Would Actually Do

Look, I've been managing Google Cloud infrastructure for years, and here's my honest take:
I would absolutely automate key rotation using Cloud Functions and Secret Manager. The upfront time investment (maybe 4-6 hours to set up properly) pays for itself the first time you avoid a production outage.
I would eliminate static keys wherever possible by using Workload Identity or attached service accounts. If a key doesn't need to exist, it can't expire or get compromised.
I would NOT try to extend key lifetimes beyond 90 days just to reduce rotation frequency. That's false economy—the security risk isn't worth saving a few hours of automation work.
What I'd avoid: Manually rotating keys through the console. It's error-prone, doesn't scale, and you'll forget eventually.
If you're just starting out, begin with Secret Manager and a simple Cloud Scheduler job. You can always make it more sophisticated later.


Your Next Steps

Ready to get control of your service account key expiration? Here's what to do this week:
  1. Audit your current keys - Run the  gcloud command to list all keys and their expiration dates
  2. Set up Secret Manager - If you're not using it already, start here
  3. Create a rotation calendar - Mark expiration dates and set reminders 30 days in advance
  4. Build a simple automation - Even a basic Cloud Function triggered by Cloud Scheduler is better than manual rotation
  5. Plan for keyless authentication - Start evaluating Workload Identity for new projects
The landscape of cloud security is changing, and Google's enforcement of key expiration is just the beginning. By automating now, you're future-proofing your infrastructure and sleeping better at night.

Let's Hear From You

Have you dealt with unexpected service account key expiration? What automation solutions have worked for your team? Drop a comment below and share your story—I read every single one and often respond within 24 hours.
If you found this guide helpful, share it with your DevOps team or post it in your company's Slack channel. And if you're still stuck, feel free to reach out—I'm always happy to help fellow cloud engineers navigate these challenges.


Sources & Further Reading

Official Google Cloud Resources:
Security Best Practices:

FELFAL Bouabid

Posted by FELFAL Bouabid

Post a Comment

0 Comments